
Bug#335276: marked as done (openssh-client: unnecessary prompting about conffile)



Your message dated Sat, 23 Dec 2006 10:33:56 +0000
with message-id <20061223103356.GH28442@riva.ucam.org>
and subject line Bug#335276: openssh conffile prompt: /etc/ssh/moduli
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: openssh-client
Version: 4.2p1-5
Severity: important
File: /etc/ssh/ssh_config

There was also a really messy diff about /etc/ssh/moduli.

--- /etc/ssh/ssh_config 2004-03-10 06:29:56.000000000 -0500
+++ /etc/ssh/ssh_config.dpkg-new        2005-10-07 08:11:41.000000000 -0400
@@ -1,4 +1,4 @@
-#      $OpenBSD: ssh_config,v 1.19 2003/08/13 08:46:31 markus Exp $
+#      $OpenBSD: ssh_config,v 1.20 2005/01/28 09:45:53 dtucker Exp $
 
 # This is the ssh client system-wide configuration file.  See
 # ssh_config(5) for more information.  This file provides defaults for
@@ -13,9 +13,11 @@
 # Thus, host-specific definitions should be at the beginning of the
 # configuration file, and defaults at the end.
 
-# Site-wide defaults for various options
+# Site-wide defaults for some commonly used options.  For a comprehensive
+# list of available options, their meanings and defaults, please see the
+# ssh_config(5) man page.
 
-# Host *
+Host *
 #   ForwardAgent no
 #   ForwardX11 no
 #   ForwardX11Trusted yes
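Review bot: Uncommenting `Host *` makes this a live catch-all section, while the context lines just above it say host-specific definitions belong at the beginning of the file and defaults at the end. Consider adding a comment at the `Host *` line telling admins to put their own `Host` sections above it, because anything appended at the bottom of the file now comes after the defaults.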
@@ -36,3 +38,5 @@
 #   Cipher 3des
 #   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
 #   EscapeChar ~
+    SendEnv LANG LC_*
+    HashKnownHosts yes
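Review bot: The two added lines `SendEnv LANG LC_*` and `HashKnownHosts yes` are active settings placed after a run of commented-out examples, with no comment marking them as deliberate changes from those defaults. A one-line comment on each would help an admin who meets this diff in a conffile prompt: that `SendEnv` forwards the locale variables to the server, and that `HashKnownHosts` stores new known_hosts entries in hashed form so host names are no longer readable in the file.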



--- /etc/default/ssh    2003-04-01 18:57:35.000000000 -0500
+++ /etc/default/ssh.dpkg-new   2005-10-07 08:11:41.000000000 -0400
@@ -1,4 +1,4 @@
-# Default settings for ssh. This file is sourced by /bin/sh from
+# Default settings for openssh-server. This file is sourced by /bin/sh from
 # /etc/init.d/ssh.
 
 # Options to pass to sshd


--- /etc/pam.d/ssh      2004-03-10 06:29:05.000000000 -0500
+++ /etc/pam.d/ssh.dpkg-new     2005-10-07 08:09:57.000000000 -0400
@@ -1,8 +1,5 @@
 # PAM configuration for the Secure Shell service
 
-# Disallow non-root logins when /etc/nologin exists.
-auth       required     pam_nologin.so
-
 # Read environment variables from /etc/environment and
 # /etc/security/pam_env.conf.
 auth       required     pam_env.so # [1]
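Review bot: Removing `auth required pam_nologin.so` from the top of the stack drops the /etc/nologin check from this file, and the visible lines do not show it being re-added elsewhere. If the check is meant to stay, say where it is now enforced or keep a line for it here; if it is dropped on purpose, a comment saying so would stop admins from assuming /etc/nologin still blocks non-root ssh logins.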
@@ -25,5 +22,8 @@
 # Set up user limits from /etc/security/limits.conf.
 session    required     pam_limits.so
 
+# Set up SELinux capabilities (need modified pam)
+# session  required     pam_selinux.so multiple
+
 # Standard Un*x password updating.
 @include common-password
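Review bot: The comment `(need modified pam)` above the new `pam_selinux.so` line does not say which PAM build or package provides the module, so an admin cannot tell whether uncommenting the `session` line is safe. Name the requirement in the comment, since a `required` module that cannot be loaded fails the session stack.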



--- End Message ---
--- Begin Message ---
On Thu, Dec 14, 2006 at 02:03:45PM -0500, Justin Pryzby wrote:
> On Thu, Dec 14, 2006 at 12:20:10PM -0500, Justin Pryzby wrote:
> > reopen 335276
> > found 335276 1:4.3p2-7
> > thanks
> > 
> > I'm afraid this just happened again, this time with /etc/ssh/moduli.
> > I don't know what this file does.  Should it be included with the package?

Yes; it's used for Diffie-Hellman group generation by both ssh-keygen
and sshd. It has a man page and everything ...

> > Is it modified somehow, somewhen?

1:4.3p2-7 changed it by request in bug #335259. It is not edited by
maintainer scripts.

> > 2006-12-14 11:36:32 upgrade openssh-server 1:4.3p2-6 1:4.3p2-7
> > 
> > $ md5sum /etc/ssh/moduli* openssh-client-1\:4.3p2-6/etc/ssh/moduli
> > 45e8268b1994ab38d5309eed05ba003c  /etc/ssh/moduli
> > 085771ebb2b6cfe60b84ad094de0788a  /etc/ssh/moduli.dpkg-old
> > d93b0dd7a654a68e39361caff3f3061e  openssh-client-1:4.3p2-6/etc/ssh/moduli

Well, that almost certainly indicates that you modified it
inadvertently, perhaps in the process of resolving a previous conffile
prompt from an upgrade before this bug was fixed. Please only reopen
this bug if you can demonstrate that it was a truly unmodified conffile.

Not *all* conffile prompts are bugs - only those where the admin
genuinely never touched the conffile. openssh's maintainer scripts don't
touch that file other than sometimes removing it to work around the old
dpkg bug that was the original cause of this bug report.

> This seems to be related to #335259; but, I'm somewhat confused, since I was of
> the impression that the test was:
> 
>   if [ md5sum(new-conffile) = dpkg-status-md5 ]
>     # Do nothing; the maintainer did not update the conffile
>   else if [ md5sum(file-on-disk) = dpkg-status-md5 ]
>     # The maintainer changed the conffile, but the admin did not
>     install_new_file
>     echo "Installed new file"
>   else
>     # Both the admin and the maintainer changed it
>     conffile_prompt
>   endif
> 
> This algo should hit the second case and display an informative message, but
> not prompt.
> 
> A possible solution might be to
>   grep -v '^#    $OpenBSD' |md5sum |sed

All the logic above is in dpkg, not openssh, so hardcoding OpenBSD would
make no sense. There is absolutely no way I'm going to edit
/var/lib/dpkg/status from openssh's maintainer scripts, if that's what
you're suggesting.

> I note another case which could be added after the first, avoiding some
> needless prompts:
> 
>   else if [ md5sum(file-on-disk) = md5sum(new-conffile) ]
>     # The admin may have changed the conffile, but the contents are identical
>     # to the maintainer's new version
>     install_new-conffile

Perhaps you should look at dpkg/src/configure.c, which already contains
such a test.

                        if (!strcmp(currenthash,newdisthash)) {
                                /* They're both the same so there's no point asking silly questions. */
                                useredited= -1;
                                distedited= -1;
                                what= cfo_identical;
                        }

Cheers,

-- 
Colin Watson                                       [cjwatson@debian.org]

--- End Message ---
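
The hash comparison discussed in this thread, as an added example that is not part of the original messages and is not dpkg's code: a shell function that classifies a conffile upgrade from three MD5 hashes, checking the identical-content case first. The function names are hypothetical, and assigning the thread's three md5sum values to the roles of recorded, on-disk and new hash is an assumption made for illustration.

```shell
#!/bin/sh
# Added illustration; not dpkg's code. Classifies a conffile upgrade from three
# MD5 hashes: the one recorded at the last install, the file on disk, and the
# file shipped in the new package.

md5_of() {
    # Print only the hash column of md5sum's output.
    md5sum "$1" | cut -d' ' -f1
}

conffile_decision() {
    recorded=$1 current=$2 new=$3
    if [ "$current" = "$new" ]; then
        echo identical          # same bytes either way: nothing to ask
    elif [ "$new" = "$recorded" ]; then
        echo keep               # maintainer did not change the file
    elif [ "$current" = "$recorded" ]; then
        echo install-new        # only the maintainer changed it
    else
        echo prompt             # admin and maintainer both changed it
    fi
}

# Hashes quoted in the thread; the roles given to them here are assumptions.
PKG_OLD=d93b0dd7a654a68e39361caff3f3061e   # moduli shipped in 1:4.3p2-6
ON_DISK=085771ebb2b6cfe60b84ad094de0788a   # moduli.dpkg-old (pre-upgrade file)
PKG_NEW=45e8268b1994ab38d5309eed05ba003c   # moduli in place after the upgrade

thread_case() {
    conffile_decision "$PKG_OLD" "$ON_DISK" "$PKG_NEW"
}

demo_files() {
    # Constructed sample files: pristine old copy, admin-edited copy, new copy.
    d=$(mktemp -d) || return 1
    printf 'a\n' > "$d/old"
    printf 'a\nlocal\n' > "$d/edited"
    printf 'b\n' > "$d/new"
    conffile_decision "$(md5_of "$d/old")" "$(md5_of "$d/old")" "$(md5_of "$d/new")"
    conffile_decision "$(md5_of "$d/old")" "$(md5_of "$d/edited")" "$(md5_of "$d/new")"
    rm -rf "$d"
}

thread_case
demo_files
```

Under those assumptions the pre-upgrade file matches neither the old nor the new packaged hash, which is the case where a prompt is expected.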
